Re: [TLS] PQC key exchange sizes

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 26 July 2022 15:21 UTC

Message-ID: <dafc791e-2224-6af1-ae16-7d6996ea8008@cs.tcd.ie>
Date: Tue, 26 Jul 2022 16:21:45 +0100
To: Thom Wiggers <thom@thomwiggers.nl>, tls@ietf.org
References: <CABzBS7nsbEhR-bmHG_ViSJFSH-0_5p0O3vKndS4+wFR=iGQzhw@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <CABzBS7nsbEhR-bmHG_ViSJFSH-0_5p0O3vKndS4+wFR=iGQzhw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/UZIWFnZZtoFd0hPzfMWGd7TLE-4>


On 26/07/2022 13:15, Thom Wiggers wrote:
> Hi all,
> 
> In yesterday’s working group meeting we had a bit of a discussion of the
> impact of the sizes of post-quantum key exchange on TLS and related
> protocols like QUIC. As we neglected to put Kyber’s key sizes in our slide
> deck (unlike the signature schemes), I thought it would be a good idea to
> get the actual numbers of Kyber onto the mailing list.
> 
> Note that in the context of TLS’s key exchange, the public key would be
> what goes into the ClientHello key_shares extension, and the ciphertext
> would go into the Server’s ServerHello key_shares extension.
> 
> Kyber512: NIST level I, "strength ~AES128"
>    public key: 800 bytes
>    ciphertext: 768 bytes
>    secret key: 1632 bytes

Be interested in how that'd change the CH if ECH is used too.
I guess the answer mightn't make us happy;-)

S.

> Kyber768: NIST level III, "~AES192"
>    public key: 1184
>    ciphertext: 1088
>    secret key: 2400 bytes
> Kyber1024: NIST level V, "~AES256"
>    public key: 1568
>    ciphertext: 1568
>    secret key: 3168
> 
> So for the key exchange at least, it seems to me Kyber512 should work for
> TLS and QUIC just fine; Kyber768 might be a bit of a squeeze if you want to
> stay in QUIC’s default 1300 byte initial packet? Also, I don't really know
> how the D of DTLS might change the story.
> 
> All the numbers we reported are as of the latest version of the individual
> submissions (except as discussed below). The standards that NIST eventually
> names FIPS-xyz might have (mildly) different sizes. NIST has said that
> they’re always happy to receive feedback and information about use cases
> and constraints.
> 
> Lastly, Bas Westerbaan has talked about a Kyber draft in yesterday’s CFRG
> meeting. I believe a stated goal is to use that for coordinating any
> experiments before the NIST standard is out. So keep an eye out if that
> interests you.
> 
> Cheers,
> 
> Thom
> 
> PS: Let me also correct the mistake I had introduced in the SPHINCS+
> numbers in the TLS talk: SPHINCS+ has indeed gotten slightly smaller than
> the numbers I reported. The smallest SPHINCS+ variant (sphincs+-128s) has a
> signature size of 7,856 bytes. There’s a nice table with the different
> parameter sets of SPHINCS+ on their Github repository
> https://github.com/sphincs/sphincsplus#parameters. I’m glad that people
> were paying attention, apparently more than I was :-)
> 
> I will also clarify that when we mentioned that Falcon needs very careful
> attention when implementing, this concerns Falcon's signing routines. These
> require constant-time double-width floating point maths; on many CPUs this
> will need to be emulated in software. Verification, on the other hand, is a
> lot less sensitive.
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
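An added example, not part of the thread: it encodes a TLS 1.3 key_share extension in the RFC 8446 wire format using the Kyber public-key sizes quoted above (with an X25519 share alongside, as a hybrid would carry) and checks the result against the 1300-byte QUIC initial packet Thom mentions. The post-quantum NamedGroup codepoint, the concatenated hybrid layout and the ~200 bytes assumed for the rest of the ClientHello are placeholders, not values from the page.

```python
"""Size a TLS 1.3 key_share extension (RFC 8446 section 4.2.8) carrying a Kyber share."""
import os
import struct

# Public-key sizes as quoted in the thread (bytes).
KYBER_PK = {"Kyber512": 800, "Kyber768": 1184, "Kyber1024": 1568}
X25519_PK = 32

NAMED_GROUP_X25519 = 0x001D          # registered codepoint (RFC 8446)
NAMED_GROUP_PQ_PLACEHOLDER = 0xFE00  # private-use range; placeholder, not a real assignment
KEY_SHARE_EXT_TYPE = 51
QUIC_INITIAL_BUDGET = 1300           # QUIC default initial packet size from the thread


def key_share_entry(group: int, key_exchange: bytes) -> bytes:
    """KeyShareEntry = NamedGroup(2) + opaque key_exchange<1..2^16-1>."""
    return struct.pack("!HH", group, len(key_exchange)) + key_exchange


def key_share_extension(entries: list[bytes]) -> bytes:
    """Extension = type(2) + length(2) + KeyShareEntry client_shares<0..2^16-1>."""
    shares = b"".join(entries)
    body = struct.pack("!H", len(shares)) + shares
    return struct.pack("!HH", KEY_SHARE_EXT_TYPE, len(body)) + body


def parse_key_share(ext: bytes) -> list[tuple[int, int]]:
    """Decode the extension back into (group, key_exchange length) pairs."""
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    assert ext_type == KEY_SHARE_EXT_TYPE and ext_len == len(ext) - 4
    (shares_len,) = struct.unpack("!H", ext[4:6])
    pos, end, out = 6, 6 + shares_len, []
    while pos < end:
        group, klen = struct.unpack("!HH", ext[pos:pos + 4])
        out.append((group, klen))
        pos += 4 + klen
    return out


def client_hello_key_share_size(kem: str, hybrid: bool = True) -> int:
    """Bytes the key_share extension adds to the ClientHello for the given KEM.
    hybrid=True concatenates an X25519 share with the KEM key in one entry (assumed
    layout); a plain X25519 entry is offered in both cases for non-PQ servers."""
    pq_key = os.urandom(KYBER_PK[kem])   # constructed stand-in for a real public key
    ecdh_key = os.urandom(X25519_PK)
    pq_entry = key_share_entry(NAMED_GROUP_PQ_PLACEHOLDER, (ecdh_key + pq_key) if hybrid else pq_key)
    return len(key_share_extension([pq_entry, key_share_entry(NAMED_GROUP_X25519, ecdh_key)]))


def fits_quic_initial(kem: str, rest_of_client_hello: int = 200) -> bool:
    """Rough budget check; rest_of_client_hello is an assumed size for the other fields."""
    return client_hello_key_share_size(kem) + rest_of_client_hello <= QUIC_INITIAL_BUDGET
```

The extension alone is 878, 1262 and 1646 bytes for the three parameter sets, before ECH or any other extension is counted.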